Devvortex Write-up Hack The Box.

Highv
4 min read · Apr 30, 2024

1. Enumeration

Nmap scan result

Two open ports as shown above, port 22 and 80. Time to open the browser and see what is on port 80. As always, add the machine IP address to the list of hosts, i.e. ‘/etc/hosts’.

This is how the home page looks. Directory search is the first idea that came to mind when I saw a web page like this, but it did not give anything.

Then I moved to subdomain enumeration to see if there are subdomains I can access. There are many tools to accomplish the task; I chose ‘gobuster’, and this is the full command I used and its output.

Add the subdomain to the list of hosts. After opening it, I found another web page with static links.

By using Wappalyzer I found some information about the website.

Directory brute forcing can help find hidden directories. The tool of my choice is “dirsearch”.

After using “dirsearch” I found “/administrator/”.

First things first, I did some Google searching and found a recent vulnerability regarding Joomla: CVE-2023-23752.

I found this exploit at https://github.com/Acceis/exploit-CVE-2023-23752. I downloaded the exploit to my machine and ran it.

After getting credentials for user “lewis”, I tried to use them to log in, and logged in as administrator.
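From the defender's side, the CVE-2023-23752 step above leaves a recognisable trace: unauthenticated requests to the Joomla 4 web-service API with `public=true` appended, most notably `/api/index.php/v1/config/application`, which returns the database credentials the author later reused. The following is an added example, not code from the write-up or from the Acceis exploit; it parses Apache combined-format access-log lines (the sample lines are constructed, not captured from the box) and flags requests matching that pattern, treating a 200 response as a likely leak and a 401/403 as the access check being enforced.

```python
import re
from urllib.parse import parse_qs

# Constructed Apache "combined" access-log lines (not captured from the box),
# mixing ordinary traffic with requests shaped like the CVE-2023-23752 probe.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Apr/2024:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Apr/2024:10:01:15 +0000] "GET /administrator/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Apr/2024:10:01:20 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1637 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Apr/2024:10:01:21 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 954 "-" "Mozilla/5.0"
10.10.14.9 - - [30/Apr/2024:10:02:40 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 311 "-" "curl/8.0"
10.10.14.9 - - [30/Apr/2024:10:02:45 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 311 "-" "curl/8.0"
"""

# Minimal parser for the combined log format: client, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Joomla 4 web-service endpoints that CVE-2023-23752 exposed to unauthenticated
# callers when "public=true" was appended; the first one returns the DB credentials.
SENSITIVE_ENDPOINTS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)


def find_cve_2023_23752_probes(log_text):
    """Return one finding per request matching the CVE-2023-23752 pattern.

    A 200 on such a request means the server answered, i.e. it was unpatched
    at that time; a 401/403 indicates the access check was enforced.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        public_values = [v.lower() for v in parse_qs(query).get("public", [])]
        if path.startswith(SENSITIVE_ENDPOINTS) and "true" in public_values:
            status = int(m["status"])
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "endpoint": path,
                "status": status,
                "likely_leak": status == 200,
            })
    return findings


def summarise_by_client(findings):
    """Group findings by client IP: number of probes and whether any succeeded."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"probes": 0, "leaked": False})
        entry["probes"] += 1
        entry["leaked"] = entry["leaked"] or f["likely_leak"]
    return summary


if __name__ == "__main__":
    hits = find_cve_2023_23752_probes(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarise_by_client(hits))
```

Run against a real access log by reading the file into `find_cve_2023_23752_probes`; any client with `leaked: True` should be treated as having obtained the database credentials, which means rotating them and checking the `*_users` table for changes, not just patching Joomla.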

2. Initial Foothold

To gain an initial foothold, I took some time to look into extensions, but it did not work out. Then I tried to check on templates, especially administrator templates.

I tried to edit a template and put a PHP reverse shell in it. Other “.php” files did not work out, but index.php worked.

I started a listener on my machine before saving the modified template. After saving the modified template, I got a connection.

By using the MySQL database info I found before, I logged in to the database to see what I could find.

List databases with the following command: ‘show databases;’

Try to see what tables are in the joomla database.

From the list of tables, ‘sd4fg_users’ was the one with users.

Trying to crack the password for ‘logan’.

Command to crack the hash (mode 3200 is bcrypt): “hashcat -m 3200 <hash_file> <wordlist>”

Then SSH login using logan’s credentials.

From here I obtained the user flag.

3. Privilege Escalation

Tried to see what user “logan” can run with sudo.

‘/usr/bin/apport-cli’ looked weird to me, so I had to paste it into Google.

apport-cli is a command-line frontend for reporting application crashes to the developers. It can also be used to report bugs about packages or running processes.

CVE-2023-1326 [privilege escalation]

The concept of this vulnerability is that an unprivileged user can execute this binary with root privileges.

Started to create a crash report.

After creating a report, there are several options, and I chose to read the report.

A way to get a shell with root privileges is to type “!/bin/bash” when the report has been sent.

I got a shell with root privileges successfully!!
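The privilege escalation above only works because sudo lets a non-root user run apport-cli as root, and apport-cli hands the report to a pager from which “!” runs a shell as the sudo target user. The configuration problem is therefore visible in sudoers before anyone exploits it. The following is an added example, not part of the write-up, that parses sudoers-style rules (the sample fragment is constructed, not the box's real file) and flags grants of pager-spawning commands to non-root users that lack the `NOEXEC` tag, which stops a sudo-run command from launching further programs such as a pager. The list of pager-spawning binaries is an assumption for illustration, not an exhaustive catalogue.

```python
import re

# Constructed sudoers fragment for illustration; it is not the box's real configuration.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
logan   ALL=(ALL) NOPASSWD: /usr/bin/apport-cli
backup  ALL=(root) /usr/bin/rsync, /usr/bin/tar
ops     ALL=(ALL) NOEXEC: /usr/bin/less
"""

# Commands that hand control to a pager or editor, from which "!cmd" runs a shell
# as the sudo target user. apport-cli is listed because of CVE-2023-1326.
# This set is an illustrative assumption, not a complete list.
PAGER_SPAWNING = frozenset({
    "/usr/bin/apport-cli",
    "/usr/bin/less",
    "/usr/bin/more",
    "/usr/bin/man",
    "/usr/bin/vi",
    "/usr/bin/vim",
})

# user or %group   hosts = (runas) [TAG:]... command[, command...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
# Leading tags such as "NOPASSWD:" or "NOEXEC:" before the command path.
TAG_RE = re.compile(r'^(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$')


def parse_rules(text):
    """Yield (who, runas, tags, command) for every command in every user rule.

    Comments and Defaults lines are skipped. Tags carry over to later commands
    on the same line, which is a simplification of sudoers semantics.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set()
        for spec in m["cmds"].split(","):
            t = TAG_RE.match(spec.strip())
            tags |= {tag for tag in t["tags"].replace(" ", "").split(":") if tag}
            cmd = t["cmd"].split()[0]          # drop any argument restriction
            yield m["who"], m["runas"] or "root", frozenset(tags), cmd


def audit_sudoers(text):
    """Flag non-root rules granting a pager-spawning command without NOEXEC."""
    findings = []
    for who, runas, tags, cmd in parse_rules(text):
        if who == "root" or cmd not in PAGER_SPAWNING:
            continue
        if "NOEXEC" in tags:
            continue    # sudo blocks the command from exec'ing a pager or shell
        findings.append({
            "user": who,
            "runas": runas,
            "command": cmd,
            "nopasswd": "NOPASSWD" in tags,
            "advice": "remove the grant or add the NOEXEC: tag and update apport",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` from an administrative session; the `logan` line in the constructed sample is the shape of rule that turns CVE-2023-1326 from a bug into a root shell.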
